Handbook of Operating Procedures
Chapter 11 - Information Technology
Previous Publication Date: October 31, 2018
Publication Date: August 2, 2022
Policy Reviewed Date: November 27, 2023
Policy Owner: VP for Information Technology


11.07 Cloud Computing


I. POLICY STATEMENT


This policy establishes requirements for the selection of a Cloud Service Provider and the establishment and administration of the related Cloud Service contract to ensure compliance with applicable The University of Texas at San Antonio (UTSA) policies and standards, Texas Administrative Code TAC 202 C, and The University of Texas System (UT System) Information Technology Resources Use and Security Policy (UTS 165).


II. RATIONALE


The process for selection of a Cloud Service Provider and the establishment and administration of the related Cloud Service contract must ensure that adequate security controls, as defined within the OIS Standard for Cloud Computing and TX-RAMP, are in place and are commensurate with the information security risks involved in the applicable contract.


III. SCOPE


This policy applies to UTSA’s acquisition of any and all services from a Cloud Services Provider and the use of cloud services.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://4whz.aksarayyeralticarsisi.com/hop/chapter11/11.07.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


  1. University of Texas System Policies or the Board of Regents' Rules & Regulations
    1. UT System Policy UTS 165: Standard 11.2: Safeguarding Data - Non-UTSA Third-Party Storage Services.
    2. UTSA HOP policy 11.01, Information Technology Resources Use and Security Policy.
    3. UTSA HOP policy 11.02, Data Owner Policy.
    4. UTSA HOP policy 11.03, Acceptable Use Policy.
    5. UTSA HOP policy 11.04, Information Security Incident Response.
    6. UTSA HOP policy 11.10, The Organization and Appropriate Use of the Internet at UTSA.
    7. UTSA Office of Information Security (OIS) Standard for Cloud Services.
    8. Data Classification Guidelines.
    9. President-Delegated Authorities.
  2. Other Policies and Standards
    1. Texas Administrative Code (TAC) Chapter 202, Subchapter C §§ 202.70-202.77, Information Security Standards for Institutions of Higher Education.
    2. Texas Government Code § 2054.0593, Cloud Computing State Risk and Authorization Management Program.
    3. Texas Government Code § 2054.003, Paragraph (13), Definitions.

VI. CONTACTS


If you have any questions about Handbook of Operating Procedures policy 11.07, Cloud Computing, contact one of the following offices:

  1. Office of Information Security
    210-458-7974
    informationsecurity@aksarayyeralticarsisi.com
  2. UTSA Tech Solutions
    210-458-4555
    TechCafe@aksarayyeralticarsisi.com  

VII. DEFINITIONS


  1. Cloud Services
    1. Services that maintain, store, or process Data on a network of remote technology platforms and servers outside of UTSA’s Information Technology Resources.
  2. Cloud Services Provider
    1. A third-party provider of Cloud Services. These providers will host Information Technology Resources that process or store Data outside of UTSA’s direct control.
  3. Data
    1. Information that is recorded, regardless of form or media, that is used to support the mission of UTSA, whether in an administrative or educational capacity.
    2. Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images), or other formats on UTSA Information Resources.
  4. Data Classification
    1. The category of data based on data risk categories outlined in the official UTSA Data Classification Guidelines.
  5. Data Owner
    1. The UTSA College, Vice President Unit, department, or individual that requests Cloud Services or controls the Data and performance related to the contract with the Cloud Services Provider.
  6. Data User
    1. An individual who is authorized by the Data Owner to access the Information Technology Resource, in accordance with the Data Owner's procedures and rules, whether done individually or through facilitation or responsibility for an automated application or process.
  7. Information Security Administrator
    1. A designated staff member or Data Custodian for each Department who, in close cooperation with the OIS, is assigned to implement and administer information security initiatives and assist other Data Custodians and/or Data Owners within the respective Department with any security needs.
  8. Information Technology Resources
    1. The procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting Data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.
  9. President-Delegated Authority
    1. Those individuals with a written delegation of authority from the President of UTSA to execute and deliver contracts on behalf of UTSA. Only these delegated individuals can execute and commit UTSA to a contract.
  10. Sensitive Data
    1. Data with a classification of Category I or Category II under UTSA Data Classification Guidelines.
  11. TX-RAMP
    1. Texas Risk and Authorization Management Program was established by the Texas Legislature (Senate Bill 475), now Texas Government Code section 2054.0593. TX-RAMP provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.

VIII. RESPONSIBILITIES


  1. Data Owner
    1. Ensures selection, use, and administration of its Cloud Services are consistent with this policy and other applicable UTSA and UT System policies, standards, and procedures.
    2. Ensures the Data is categorized and designated under the appropriate Data Classification.
    3. Provides the required information necessary for the completion of the risk assessment described in this policy.
    4. Initiates procurement of Information Technology Resource goods and services contracts and data sharing agreements by either the Business Contracts Office, the Procurement Office, or UTSA Tech Solutions.
  2. Office of Information Security (OIS)
    1. Disseminates any applicable security criteria for use in selecting a Cloud Service Provider.
    2. Performs risk assessments of Cloud Services Providers in accordance with UTSA and UT System policies and Security Standards and provides determinations and recommendations based on risk assessments.
    3. Coordinates with the Business Contracts Office, UTSA Tech Solutions, Procurement Office, and/or Chief Privacy Officer (CPO) in determining appropriate confidentiality terms and conditions for Cloud Services contracts, taking into consideration the risk level of the contract and the Data Classification involved with the Cloud Services.
  3. Business Affairs
    1. For Cloud Services contracts with a total value exceeding the competitive procurement limit, the Purchasing Office:
      1.1 Coordinates with OIS and UTSA Tech Solutions in the selection of Cloud Service Providers, and (if applicable) coordinates with Business Contracts Office, OIS, and/or CPO when establishing the contract involving the sharing of Sensitive Data.
      1.2 Provides OIS with access to the applicable Cloud Service purchase order contract.
    2. For Cloud Services contracts with a total value below the competitive procurement limit, the Business Contracts Office:
      2.1 Coordinates with OIS, UTSA Tech Solutions, and/or the CPO in determining appropriate confidentiality terms and conditions for Cloud Services contracts submitted to Business Contracts Office and coordinates with UTSA Tech Solutions and OIS to take into consideration the risk level of the contract, the security of the Data, and the Data Classification involved with the Cloud Services.
      2.2 Provides OIS with access to the applicable Cloud Service contract.

IX. PROCEDURES


  1. Cloud Services Risk Assessments
    1. In determining whether to implement and utilize Cloud Services, Data Owners must collaborate with or follow processes developed by the OIS to establish the risk of the specific proposed Cloud Services.
    2. If the Cloud Services will include Sensitive Data, selection of the recommended Cloud Service Provider must include a risk assessment of the Cloud Service Provider’s data security characteristics.
    3. The risk assessment will be facilitated by OIS and will include certain data fields to be completed by the Data Owner and/or the selected Cloud Service Provider.
    4. The Purchasing Office and Business Contracts Office will assist in ensuring compliance with this Section.
  2. Cloud Service Administration
    1. Data Owners are responsible for ensuring that the use of Cloud Services is consistent with UTSA and UT System policies, standards, and procedures, as well as the business terms of the contract with the Cloud Service Provider.
    2. Only President-Delegated Authorities may bind UTSA to a contract. The term “contract” specifically includes web-based “click-to-accept” and “click-wrap” terms of use agreements, which are commonly utilized by Cloud Service Providers. A UTSA contract without an authorized, delegated signature may be invalid and unenforceable. Business Contracts Office maintains UTSA’s list of President-Delegated Authorities.
    3. UTSA Records must not be stored on personally procured third-party Cloud Services (UTS 165 Standard 11.2: Safeguarding Data - Non-UTSA Third-Party Storage Services).
    4. Owners must ensure that Cloud Services maintain a mechanism to allow OIS or an Information Security Administrator to retrieve UTSA Records in the event the Cloud Service Data User (or Data Users) is no longer associated with UTSA.

X. SPECIAL INSTRUCTIONS FOR IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


None

XII. APPENDIX


None


XIII. DATES APPROVED/AMENDED


08-02-2022
10-31-2018